Overview

overview

10

Static

static

10

67f998093c...26.exe

windows7-x64

10

67f998093c...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2025 15:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67f998093c11d8a104aef7a92a2d5b26.exe

  • Size

    2.2MB

  • MD5

    67f998093c11d8a104aef7a92a2d5b26

  • SHA1

    cea4392bfb620e2d5b303c7f39fe68a30080a771

  • SHA256

    f08bab568e1877365870d1d321bb77c1e6e36f5f91b29e73c7c33d13a01c31d1

  • SHA512

    e3572eaf810f95944206728a83c822244afd079f59cef2911e11dddd85216a09663edbd8041fe5281c0ca9a6182bc5b70d77cbcc403baccbfbdc1d9c6a137e92

  • SSDEEP

    49152:AsSHlG56vO0T3/Nh/ptuw/C3TqGaDxr1NcWTMUvif:ALlK6d3/Nh/bV/Oq3Dxp2RUG

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat 29 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 9 IoCs
    persistence
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 18 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\67f998093c11d8a104aef7a92a2d5b26.exe
    "C:\Users\Admin\AppData\Local\Temp\67f998093c11d8a104aef7a92a2d5b26.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • UAC bypass
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2692
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TXzTWsAaM8.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2320
        • C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsm.exe
          "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsm.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1620
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67896007-7781-4bb8-86c6-964961849184.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1904
            • C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsm.exe
              "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsm.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1956
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de78450d-167f-42a3-9b10-aa09ce4fddb3.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2100
                • C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsm.exe
                  "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsm.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1924
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f232cc66-3f39-4e8e-8425-c3a07ca42094.vbs"
                    8⤵
                      PID:988
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3118729d-d616-4ad2-b3bf-ee7d19192733.vbs"
                      8⤵
                        PID:1728
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3990d69f-3508-4f9d-b788-9a511d62cefc.vbs"
                    6⤵
                      PID:2164
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7e386af-0d8d-4f02-afc7-afafeae398a8.vbs"
                  4⤵
                    PID:1520
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2604
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2332
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2452
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsm.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1100
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1104
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2996
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2092
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1764
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:916
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\taskhost.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2220
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:644
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2612
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2396
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2328
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2840
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1060
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2360
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2392
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Rules\en-US\explorer.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1768
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\en-US\explorer.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1116
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\Rules\en-US\explorer.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:592
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\images\lsass.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2164
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\lsass.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2096
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\images\lsass.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2244
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\security\audit\Idle.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2272
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\security\audit\Idle.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1876
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\security\audit\Idle.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2104

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Persistence

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Privilege Escalation

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Defense Evasion

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Impair Defenses

            1
            T1562

            Disable or Modify Tools

            1
            T1562.001

            Modify Registry

            4
            T1112

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
              Filesize

              2.2MB

              MD5

              67f998093c11d8a104aef7a92a2d5b26

              SHA1

              cea4392bfb620e2d5b303c7f39fe68a30080a771

              SHA256

              f08bab568e1877365870d1d321bb77c1e6e36f5f91b29e73c7c33d13a01c31d1

              SHA512

              e3572eaf810f95944206728a83c822244afd079f59cef2911e11dddd85216a09663edbd8041fe5281c0ca9a6182bc5b70d77cbcc403baccbfbdc1d9c6a137e92

              Download Submit

            • C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\RCX37C8.tmp
              Filesize

              2.2MB

              MD5

              70f35d04041d9c029d59586fc6aa3819

              SHA1

              a9f37462584d22bad8909ffc1c047cdfee84f049

              SHA256

              517ef97c6f4481e5d6eac2ebd79fbbfe34c9dbe59a0f775c0c2a3e3b942aaae6

              SHA512

              1739c6ce05e4fbee9d2829a95b3ca910b28a0f853d2a6e11e779fae7b419c46b7fd22641f28c2b91b826dd3905e478a23fa1e55c31665adea3f6a042d7078f53

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\67896007-7781-4bb8-86c6-964961849184.vbs
              Filesize

              743B

              MD5

              f63a15d572534004caf118c2fbad4572

              SHA1

              a186add330c5b9d603567dce2ea009479c2ff931

              SHA256

              5d56f71c1580892222e833db056dd9bba45476168af888f6b8300bb8f844d556

              SHA512

              2df8567c0ad6bd60887cfd9a46b472753f3029573584bc9ec1f252c46f7c4621b95feb810bdd38933ca798f0b90054c9605a82138fa98516cce5db51a8e6bb20

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\TXzTWsAaM8.bat
              Filesize

              232B

              MD5

              69426eca21aada6397f3b3ec855da6ee

              SHA1

              fe16ef9dfdcc7a4a95c2bc59f5bdf1bdbbecb654

              SHA256

              1fbc0cd89e85d9e66b4e8b57594d80e5264e57ed1132ae17a4f192265966cbc3

              SHA512

              3480351236a03d79d4312d4da2ff47396e8d012c6f371c756a6c2a08920fde6d4fbd0c08d3419c7b8484a44473e2db3749f2b1b66696e4524c5dbb64477e7adb

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\de78450d-167f-42a3-9b10-aa09ce4fddb3.vbs
              Filesize

              743B

              MD5

              2a45e103742839f6f4ed3e2deb3256ca

              SHA1

              2f8bf7e4786b749f30bfe31c451552d000aa5fd0

              SHA256

              7d44909b83b14214dee9e6d75f62758b3c9e26bf7814dd34544b36b0fbf2431b

              SHA512

              8734f820c03dfe975af32ec814c30e6c7f41771345a40fa02cdde3d8db42c8cd2bae5c36d507e2407ddde33da240c45fe214ba1433c14d38e4d9db36e5099823

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\f232cc66-3f39-4e8e-8425-c3a07ca42094.vbs
              Filesize

              743B

              MD5

              65bf13a5fac45fea9aace8ca841039ca

              SHA1

              319c2d17d9e12a5dccbe07c6dfffaba17afa3222

              SHA256

              b2324bfa0fff55336549001ee3d6dbd198bcde408b1c904e63a1479817924484

              SHA512

              6ceb7b8ff98775e8e373866836094d276a75c297f58f8c6ca2b367340d4f9faea9b18709facebefe59ecc294231788f52b28096b65bf9b9e7cb980bc59e6e4ab

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\f7e386af-0d8d-4f02-afc7-afafeae398a8.vbs
              Filesize

              519B

              MD5

              5df94a719ab0f3418ce510492b63cad9

              SHA1

              f349cfb9c028ec3caaf26dc461643383c1ac15b4

              SHA256

              dc51a88c0d2b409a5df69cfeab7d5a2a371125136d1c61c367190c0bbee8d27d

              SHA512

              be9ceb44c098d11b114fff504666597c91b0bdb12aac0b091f954bd9b8736d117f1d709049c1c5c687fce20a76d7a3f99ee47a5ca99926d72bc973161709a23f

              Download Submit

            • memory/1620-168-0x0000000001060000-0x000000000128E000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/2692-19-0x0000000002440000-0x000000000244C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2692-24-0x0000000002490000-0x0000000002498000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2692-10-0x0000000000650000-0x0000000000658000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2692-11-0x00000000021F0000-0x0000000002200000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2692-12-0x0000000000660000-0x000000000066A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/2692-13-0x0000000000670000-0x000000000067C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2692-14-0x0000000002280000-0x0000000002288000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2692-15-0x0000000002290000-0x000000000229C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2692-16-0x0000000002400000-0x0000000002408000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2692-18-0x0000000002410000-0x0000000002422000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2692-0-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2692-20-0x0000000002450000-0x000000000245C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2692-21-0x0000000002460000-0x000000000246C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2692-22-0x0000000002470000-0x000000000247A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/2692-23-0x0000000002480000-0x000000000248E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2692-9-0x0000000000640000-0x000000000064C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2692-25-0x00000000024A0000-0x00000000024AE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2692-26-0x000000001A930000-0x000000001A93C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2692-27-0x000000001A940000-0x000000001A948000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2692-28-0x000000001A950000-0x000000001A95C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2692-29-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/2692-8-0x0000000000620000-0x0000000000636000-memory.dmp

              Filesize

              88KB

              Download

            • memory/2692-7-0x0000000000610000-0x0000000000620000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2692-164-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/2692-6-0x0000000000480000-0x0000000000488000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2692-5-0x00000000001F0000-0x000000000020C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/2692-4-0x00000000001E0000-0x00000000001EE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2692-3-0x00000000001D0000-0x00000000001DE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2692-2-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/2692-1-0x0000000000820000-0x0000000000A4E000-memory.dmp

              Filesize

              2.2MB

              Download